5

Recently, I opened a new checking account a national US bank. The branch of this bank was very modern, and they even had a wall of screens behind the teller's desk.

When I was meeting with an advisor to open an account, he turned his monitor around to show me something, and I noticed he was running Windows 2000 on his machine. I thought this was rather odd, considering that this was one of the largest banks.

So my question is:

  • Is it possible that those systems are actually running, say, Windows 7, and are just skinned as Windows 2000 systems in order to throw off attackers?
  • Or is it likely that these systems are actually running Windows 2000, which would seem to be a demonstration of poor security?
WhiteWinterWolf
  • 19,082
  • 4
  • 58
  • 104
Chandler Freeman
  • 173
  • 5
  • They were most likely using Windows 2000 computers. Windows 7 has the ability to appear like older versions of Windows, except the start button has a more modern Windows logo. But really no big deal if they're using an outdated OS. – Jonathan Gray Jan 12 '16 at 18:19
  • @Chandler: I'd be interested in the name. – StackzOfZtuff Jan 12 '16 at 18:24
  • 7
    You must not have dealt with banks before. Banks are EXTREMELY resistant to change, and are one of the definitions of a dinosaur. As an example, at least in 2012, it was still common for ATM machines to run OS/2. OS/2 that was never very popular, and even those that did run it stopped using in around 1995-1996. http://brobible.com/guyism/article/why-your-atm-uses-os2-a-25-year-old-operating-system/ So I'd say your bank is still running WIndows 2000. – Steve Sether Jan 12 '16 at 18:46
  • 1
    some banks here in Canada run Windows XP on the workstations – schroeder Jan 12 '16 at 19:04
  • 1
    This was likely running Win 7 or similar without the Aero skin as a measure to increase efficiency, not enhance security. Pretty common practice via GPO. Likely can get some solid answers as to why that is common in the industry on Super User or Server Fault. –  Jan 12 '16 at 19:43
  • Did you actually see the words "Windows 2000" on the screen? Or did you recognize the look and feel as Windows 2000? – TTT Jan 12 '16 at 22:25
  • 2
    @SteveSether I've seen a bank using a 1980s telnet system... in 2013. :D – Mark Buffalo Jan 13 '16 at 04:12
  • They were probably using what you saw, it's too expensive to upgrade those legacy systems. – Arlix Jan 13 '16 at 10:56

1 Answers1

7

No, it is not a practical security measure. I'm not going to speculate on the specific case you mentioned as I don't have all of the facts, but there are a couple of more generally relevant points.

First: Attackers do not determine which attacks might work based on the desktop chrome. They're going to figure out what the OS actually is, by any number of mechanisms. In addition, if someone were to have such a wacky idea, it would make far more sense to to attempt to pretend that a machine running an older, more vulnerable OS was newer, rather than the reverse described. Attempting to disguise Windows 7 machines as Windows 2000 by way of a desktop background would be not only useless, but uniquely and bizarrely useless.

Second: Withholding information about an OS from attackers is generally recognized to be a good practice, but of very minor importance. You'll see it regularly in pen-test results of web applications, for instance. There will be findings, deemed to be of low importance, suggesting the removal of headers identifying the web server software, or OS, or version, or the web application framework. They're findings because they can deter the very laziest or incompetent of attackers, but nobody would suggest that they would thwart a serious adversary from affecting a compromise, or even figuring out what the underlying technology really is.

So no, the case you described is most certainly not a security measure.

Xander
  • 35,525
  • 27
  • 113
  • 141
  • I agree with Xander. OP, I applaud you for thinking outside the box, but no, this is almost never a practical security measure. – Mark Buffalo Jan 13 '16 at 04:13
  • @Cander: actually _a lot_ of people claim that removal of identifying headers thwarts all kinds of attackers. This does not make it true, of course; but it still is a very widespread misconception. – Thomas Pornin Jan 13 '16 at 21:29